Yesterday, while looking for some malspam, I came across some emails that used the CVE-2017-11882 exploit, which leveraged an AutoIT script to launch the Remcos keylogger process, which in turn used some anti-sandbox techniques. For some more information about the CVE, please see the following links:

This infection starts off like any other infection. The user is socially engineered into believing that the “quote” is very important and needs to be acted on. This CVE (CVE-2017-11882), much like CVE-2017-0199, requires nothing more than the user opening the document for the infection chain to be kicked off. Most users would think that the file is a Word doc, but upon closer examination of the file we can see that it is an RTF file instead.

head RFQ\ File.doc
{\rtf{\object\objocx\objupdate\objw7268\objh8697{\*\objdata...<shortened for read-ability>...
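As an added example (not from the original post), here is a small Python triage check for the kind of file shown above: a “.doc” that is really RTF carrying an OLE object with \objupdate. The sample bytes are constructed to mirror the head output, and the hex after \objdata is a placeholder rather than the real object.

```python
import re

# RTF control words that mark an embedded OLE object. \objupdate tells Word to
# load (update) the object as soon as the document opens, which is what lets the
# Equation Editor start without any further user action.
OBJECT_WORDS = (r"\object", r"\objocx", r"\objupdate", r"\objdata")

# Constructed sample modelled on the head output above; the hex in \objdata is a
# placeholder, not the real exploit object.
SAMPLE = (
    b"{\\rtf{\\object\\objocx\\objupdate\\objw7268\\objh8697{\\*\\objdata "
    + b"0105000002000000" + b"41" * 40 + b"}}}"
)

def is_rtf(data: bytes) -> bool:
    """RTF magic check that ignores the file extension. Word also opens files
    that start with the truncated form "{\\rt", so that is the prefix tested."""
    return data.lstrip().startswith(b"{\\rt")

def triage_rtf(data: bytes) -> dict:
    """Report which object control words are present and how many bytes of hex
    payload follow \\objdata; an auto-updating object with a payload is flagged."""
    found = [w for w in OBJECT_WORDS if w.encode() in data]
    m = re.search(rb"\\objdata\s*([0-9A-Fa-f\s]+)", data)
    payload = len(re.sub(rb"\s", b"", m.group(1))) // 2 if m else 0
    return {
        "rtf": is_rtf(data),
        "control_words": found,
        "auto_update": r"\objupdate" in found,
        "objdata_bytes": payload,
        "suspicious": is_rtf(data) and r"\objupdate" in found and payload > 0,
    }

if __name__ == "__main__":
    print(triage_rtf(SAMPLE))
```

Run it against a whole mail quarantine and any “Word” attachment that reports suspicious=True is worth a closer look regardless of its extension.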

Opening the file on my test VM, I was greeted with an error message as seen below. Once I clicked past the error message I was left with a blank Word doc.

When I looked at Process Monitor and then the Process Tree option, I could see that the exploit worked, and the equation editor kicked off which downloaded a file called “gist[1].exe.”

This file was copied from the Temporary Internet Files directory to the Roaming folder which then was executed and started as a new process.

Once the “namegh.exe” process started up, it created numerous new files under the “C:\Users\%username%\AppData\Local\Temp\01644247” folder. This makes sense since this file is nothing more than a self-extracting RAR file as noted below.

One of these files is called “enj.exe”, which I saw had a command line argument at the end of the command:

Looking at the “cgr=agr” file within Notepad++ I noticed that this looked to be more of a script. Trying to modify this file proved pointless at first since it had been set with a “read-only” flag as you can see from the cleaned up version of this script below. Unfortunately I am not sure what language this is in – maybe AutoIT?

Two things that I would like to call out here: 1) the script checks to see if there is an “Avastui.exe” process running and, if so, pauses execution for 333.33333 hours, and 2) there is another pause of 30 seconds in this infection.

At the top of the above script, there is call for another file in the same directory called “ujb.mp4” which contains some other bits that look like it may be used in the “cgj=agr” script.

After this ran, the “enj.exe” started up a child process of itself and passed another command line argument as well.

Unfortunately this file got deleted once the process finished so I am not sure what was in that file or how it played a role in this infection.

It is here that persistence was created by adding a key to the Windows run registry key.

Next, I believe that the “ujb.mp4” file in the “01644247” folder helped set up the next child process – the “regsvcs.exe” process. I say this because there were a lot of read operations from the “enj.exe” process (PID 3056) on the “ujb.mp4” file, and shortly afterwards the “regsvcs.exe” process was created and executed.

Once this process was up and running, there was a new registry key that was created: “HKCU\Software\Fmt-W5SO9H\.”

I also saw this process looking through the file system and the registry, querying what looked to be files/keys related to what I can assume is Internet access. This would make sense since this was the process responsible for reaching out to 188.209.52.202 on port 1667 from time to time, as seen in the screen captures below. This process also created a folder called “skype” which contained an encrypted “logs.dat” file. I can only surmise that this was the compromised site that the keylogger was uploading the “logs.dat” file to.
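The chain described so far (Equation Editor dropping and launching an executable, a Run key being set, and regsvcs.exe reaching out on port 1667) can be expressed as a few detection rules over a Process Monitor CSV export. This is an added example, not the author's own log or tooling: the CSV lines are constructed to replay the chain, and EQNEDT32.EXE is assumed to be the Equation Editor image name.

```python
import csv
import io

# Constructed Process Monitor-style CSV lines (the columns of a Procmon CSV
# export) that replay the chain described above; they are not the author's
# real log. EQNEDT32.EXE is assumed to be the Equation Editor image name.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","WINWORD.EXE","1200","Process Create","C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","SUCCESS","PID: 1300, Command line: EQNEDT32.EXE -Embedding"
"10:01:05","EQNEDT32.EXE","1300","WriteFile","C:\\Users\\lab\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\gist[1].exe","SUCCESS","Length: 512000"
"10:01:06","EQNEDT32.EXE","1300","Process Create","C:\\Users\\lab\\AppData\\Roaming\\namegh.exe","SUCCESS","PID: 1400, Command line: namegh.exe"
"10:01:09","enj.exe","3056","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\enj","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Local\\Temp\\01644247\\enj.exe"
"10:01:12","regsvcs.exe","2512","TCP Connect","lab-pc:49321 -> 188.209.52.202:1667","SUCCESS","Length: 0"
"""

# Registry paths where a value means "start this at logon" (case-insensitive).
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

def detect_chain(log_text: str) -> list:
    """Return (rule, process, target) tuples for events that match the chain:
    Equation Editor writing or launching an executable, a Run key being set,
    and an outbound connection on a non-web port. Word launching the Equation
    Editor itself is normal and is deliberately not flagged."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        proc, op, path = row["Process Name"].lower(), row["Operation"], row["Path"]
        if proc == "eqnedt32.exe" and op == "Process Create":
            alerts.append(("eqnedt_spawns_process", row["Process Name"], path))
        elif proc == "eqnedt32.exe" and op == "WriteFile" and path.lower().endswith(".exe"):
            alerts.append(("eqnedt_writes_exe", row["Process Name"], path))
        elif op == "RegSetValue" and any(k in path.lower() for k in RUN_KEYS):
            alerts.append(("run_key_persistence", row["Process Name"], path))
        elif op == "TCP Connect" and "->" in path:
            dst = path.split("->")[-1].strip()          # "ip:port" after the arrow
            if int(dst.rsplit(":", 1)[1]) not in (80, 443):
                alerts.append(("non_web_port_connect", row["Process Name"], dst))
    return alerts

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOG):
        print(alert)
```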

***Note: I did see a reference to a “C&C” in the string output for this process that I mention at the bottom of this post.

This process (regsvcs.exe – PID 2512) then finally created the “svchost.exe” process. Based on the Process Monitor logs I am not seeing anything really happening with this process.

The other thing that intrigued me was what I could figure out from the processes “regsvcs.exe – PID 2512” and “svchost.exe – PID 352.” Using the tool strings2, I ran the following command to take a snapshot of the strings in each process’s memory and see if there was anything of interest in there.

Below are some of the more interesting items that I found when looking through the strings output of regsvcs.exe – PID 2512. There are some bits of a script, a reference to the UAC bypass technique, and Remcos as well. The odd thing is that I did not see the UAC bypass being executed. I also saw logged keystrokes and the applications that were opened on the VM, as well as items matching the network traffic and some of the files and locations used in this infection.

When performing this same activity for the svchost.exe – PID 352 process I was not able to find much in that log that stood out to me.